There’s a huge regulatory change just around the corner. And with it comes a $3.5 billion business opportunity. Two-thirds of Australian companies that know they’re affected expect to make significant changes. But half aren’t even sure they need to comply.
What is it? Europe’s landmark General Data Protection Regulation (GDPR).
Part of the confusion locally lies in this massive data protection scheme being European. Yet a basic look at its requirements shows that many Australian organisations have obligations under the new law, set to take effect from 25 May. It covers any organisation that controls or processes the personal data of European Union (EU) residents. For example:
- Australian entities that operate businesses established in an EU member state
- Australian-based entities that offer goods or services to individuals in the EU, irrespective of whether payment is required
- Australian-based entities that monitor the behaviour of individuals in the EU, where that behaviour takes place within the EU
With data protection making news headlines on an almost daily basis, the law aims to improve data handling and make businesses more accountable for personal customer information. It unifies data protection legislation across all 28 EU countries.
Penalties for failing to comply are significant, with fines of up to €20 million ($32 million) or 4 per cent of global annual turnover, whichever is greater. Other risks include audits, compensation claims, class action lawsuits and regulators seeking orders to cease activity.
Local relevance
In effect since February 22, the Australian Notifiable Data Breach (NDB) scheme requires businesses to notify both affected customers and the authorities of any data breach “likely to result in serious harm” to those whose data is involved. Non-compliant businesses could be hit with fines of up to $1.8 million and untold reputational damage, yet studies show that 44 per cent of Australian businesses were not fully prepared at the time of its implementation.
Both GDPR and NDB share the goals of strengthening personal information security and increasing transparency on data-related activities. For Australian partners, there is an opportunity to create an ongoing revenue stream through the continuing compliance process.
The partner opportunity
While many businesses are still scrambling to determine if the law applies to them, GDPR compliance represents a significant opportunity for Microsoft partners. You have a critical role to play in helping customers adapt to the new regime. We know this because customers are telling us they need help.
And it’s not just about ensuring customers are on the right side of the law. Looking beyond the compliance burden, companies want to know what competitive opportunities GDPR offers them. Some organisations will see a chance to use GDPR as a differentiator, recognising that customers who worry about how you’ll treat their data are more likely to take their business elsewhere.
After all, 69 per cent of Australians are more concerned about their online privacy than they were five years ago. In 2017, 16 per cent would avoid dealing with a government agency because of privacy concerns and 58 per cent would avoid dealing with a private company for the same reason.
PwC found GDPR is the top data-protection priority for more than half of US-based multinationals. More than three-quarters of those surveyed expect to spend at least $US1 million on GDPR. Globally, IDC estimates GDPR will be a $US3.5 billion security products and services opportunity.
Four pillars of compliance
There are four main areas where you can help customers navigate GDPR compliance – discovery, management, protection and reporting.
- Discovery – Performing assessments of company security and risk areas, locating data that may be GDPR relevant, developing a compliance plan
- Management – Ensuring data governance is in place, including controls over who has access to key data
- Protection – Developing plans to proactively secure data, including monitoring and analysis of threat information
- Reporting – Supporting compliance with data requests and meeting notification requirements
Simplifying problem solving
Microsoft Intelligent Compliance tools – including Compliance Manager and Azure Information Protection Scanner – have been designed to simplify regulation-to-audit compliance processes for Microsoft cloud services. They make it easier to configure policies that automatically discover, classify, label and protect documents in repositories like file servers or SharePoint servers.
Digital transformation projects have generated huge cost savings and productivity benefits while improving customer experiences. But they’ve also added new consumer data vulnerabilities in an age of stronger regulation.
Securing data and improving accountability depends on smart applications of digital technology and strategic advice from those who understand risk. Don’t let this chance to strengthen existing customer relationships pass you by.
Resources
Learning Path: General Data Protection Regulation (GDPR) Foundational Training (18237)
Top GDPR Resources for Partners
Develop Security and Compliance Practices